US20190289032A1 - Mitigation of ntp amplification and reflection based ddos attacks - Google Patents
- Publication number: US20190289032A1 (application US15/925,662)
- Authority: US (United States)
- Legal status: Granted (as listed by Google Patents; not a legal conclusion)
Classifications
- H04L63/1458: Denial of Service (countermeasures against malicious traffic)
- H04L63/123: Applying verification of the received information, received data contents, e.g. message integrity
- H04L63/1416: Event detection, e.g. attack signature detection, by monitoring network traffic
- H04L67/535: Network services, tracking the activity of the user
- H04L67/56: Network services, provisioning of proxy services
- H04L69/28: Timers or timing mechanisms used in protocols
- H04L63/20: Managing network security; network security policies in general
Definitions
- Embodiments of the present invention relate generally to mitigation of distributed denial of service (DDoS) attacks on Internet infrastructure, specifically those using the Network Time Protocol (NTP).
- According to one embodiment, a tracking table is maintained by a network security device protecting a private network. The tracking table contains information regarding Network Time Protocol (NTP) requests originated by clients associated with the private network and observed by the network security device. An NTP request sent from a client to an NTP server external to the private network is intercepted by the network security device. An NTP request flooding attack on the NTP server by the client is mitigated by the network security device by: (i) determining, based on the tracking table, whether a prior NTP request directed to the NTP server, and for which an NTP response has yet to be received, was sent by the client within a predetermined or configurable time period of the NTP request; and (ii) when said determining is affirmative, dropping the NTP request.
- FIG. 1 illustrates an NTP reflection attack via an unsecured NTP server.
- FIG. 2 illustrates the concept of amplification in NTP attacks.
- FIG. 3 illustrates the primary components for NTP DDoS attack mitigation in accordance with an embodiment of the present invention.
- FIG. 4 is a flow diagram illustrating a method of detecting and mitigating duplicate NTP requests from the same source IP address in accordance with an embodiment of the present invention.
- FIG. 5 is a flow diagram illustrating a method of mitigating unsolicited NTP response floods in accordance with an embodiment of the present invention.
- FIG. 6 illustrates an exemplary computer system in which or with which embodiments of the present invention may be utilized.
- Systems and methods are described for mitigating DDoS attacks utilizing NTP. According to one embodiment, a DDoS attack mitigation module comprises an apparatus that classifies NTP packets and their parameters and validates the headers for anomalies. Another component of the mitigation includes a rate monitor for multiple parameters. According to another embodiment of the invention, a meter maintains and monitors for unsolicited NTP requests. Yet another component of the mitigation system consists of an NTP request/response matching system to mitigate unsolicited responses.
- Embodiments of the present disclosure may be provided as a computer program product, which may include a machine-readable storage medium embodying thereon instructions, which may be used to program a computer (or other electronic devices) to perform a process.
- the machine-readable medium may include, but is not limited to, fixed (hard) drives, magnetic tape, floppy diskettes, optical disks, compact disc read-only memories (CD-ROMs), and magneto-optical disks, semiconductor memories, such as ROMs, PROMs, random access memories (RAMs), programmable read-only memories (PROMs), erasable PROMs (EPROMs), electrically erasable PROMs (EEPROMs), flash memory, magnetic or optical cards, or other type of media/machine-readable medium suitable for storing electronic instructions (e.g., computer programming code, such as software or firmware).
- Various methods described herein may be practiced by combining one or more machine-readable storage media containing the code according to the present disclosure with appropriate standard computer hardware to execute the code contained therein.
- An apparatus for practicing various embodiments of the present disclosure may involve one or more computers (or one or more processors within a single computer) and storage systems containing or having network access to computer program(s) coded in accordance with various methods described herein, and the method steps of the disclosure could be accomplished by modules, routines, subroutines, or subparts of a computer program product.
- FIG. 1 illustrates an NTP reflection attack 100 in which an attacker 101 sends an unsolicited request to an unsecure NTP server 103 somewhere on the Internet 102. The request is spoofed (i.e., it carries the source IP address of a victim server 104) so that NTP server 103 believes it must send a response to victim server 104. When a multitude of such requests reach NTP server 103 from multiple compromised attackers or spoofing attackers, victim server 104 can be overwhelmed with a distributed denial of service attack using the NTP protocol.
- FIG. 2 illustrates an NTP amplification attack 200 in which an attacker 201 sends an unsolicited request to an unsecure NTP server 203 somewhere on the Internet 202. The request is a short packet (e.g., 64 bytes). In an exemplary situation, this request may ask NTP server 203 to respond with a list of past requesters. If NTP server 203 responds to such requests due to its configuration, the response size can be as large as 13,184 bytes. Additionally, because the request is spoofed, server 203 believes it must send the response to a victim server 204. Thus, a 64-byte packet causes a 13,184-byte response directed to victim server 204. When a multitude of such requests reach NTP server 203 from multiple compromised attackers or spoofing attackers, victim server 204 can be overwhelmed with an amplified distributed denial of service attack using the NTP protocol, which can totally fill its Internet pipe, denying service to legitimate users.
- FIG. 3 illustrates the primary components to mitigate spoofed reflection and amplification NTP-based DDoS attacks in accordance with an embodiment of the present invention. In the context of the present example, the primary mitigation components, which may be implemented within a network security device 300, such as a transparent gateway protecting a protected network, include an NTP Rate Anomaly Monitoring Engine 301, an NTP Duplicate Request Prevention Engine 302, an NTP Unsolicited Response Prevention Engine 303 and an NTP Unsolicited Request Mitigation Engine 304, which may collectively be referred to as an NTP DDoS detection engine or module.
- NTP Rate Anomaly Monitoring Engine 301 is straightforward for those having ordinary skill in the art and is not described here in detail. Its purpose is to monitor the rates of NTP requests and responses and determine whether those rates are above the normal established rates. When the rates are higher than normal, it informs the other modules of this state so that they can take extraordinary actions.
- NTP duplicate request prevention engine 302 determines whether a current NTP request is duplicative of an earlier NTP request observed by the transparent gateway, for example, by implementing the method described with reference to FIG. 4 (below).
- NTP unsolicited response prevention engine 303 confirms an NTP response observed by the transparent gateway corresponds to an NTP request previously observed by the transparent gateway, for example, by implementing the method described with reference to FIG. 5 (below).
- NTP unsolicited request prevention engine 304 tracks NTP requesters that have made NTP requests to an NTP server residing within a protected network by, for example, maintaining and using a data structure, for example, containing the information noted in Table 4 (below) to track legitimate requesters and limit responses to those legitimate requesters during an NTP request flood.
- A client sends an NTP protocol packet to a server and records the time the packet left the client in the Origin Timestamp field (T1). The server records the time the packet was received (T2) and then assembles a response packet carrying the original Origin Timestamp and a Receive Timestamp equal to the packet receive time. The server sets the Transmit Timestamp to the time the message is passed back toward the client (T3). The client then records the time the packet arrived (T4), giving the client four time measurements, as shown in Table 1.
- Table 2 depicts an exemplary NTP request and response packet according to the Network Time Protocol Version 4: Protocol and Algorithms Specification, Internet Engineering Task Force (IETF) Request for Comments (RFC) 5905, which is hereby incorporated by reference in its entirety for all purposes.
- NTP operates over the User Datagram Protocol (UDP). An NTP server listens for client NTP packets on UDP port 123. The NTP server is stateless: it responds to each received client NTP packet in a simple transactional manner by adding fields to the received packet and passing the packet back to the original sender. The key thing to note here is that the Mode field in Table 2 has a value of 3 when the client sends the request and 4 when the server sends a response.
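The following is an added example, not code from the patent or from Fortinet, covering the packet of Table 2 and the four timestamps of Table 1 together: it packs and parses the 48-byte RFC 5905 header, classifies a packet by its Mode field (3 for a client request, 4 for a server response), and derives the clock offset and round-trip delay from T1..T4. One caveat worth knowing when building a classifier: on the wire the client carries T1 in its own Transmit Timestamp and the server echoes it back as the Origin Timestamp of the response, which is the field the text above refers to. The exchange in `simulate_exchange()`, its clock values and the helper names are all constructed for this example.

```python
import struct

# Added example, not code from the patent: assembling and parsing the 48-byte
# RFC 5905 NTP header (the packet of Table 2), classifying packets by the Mode
# field (3 = client request, 4 = server response), and deriving clock offset and
# round-trip delay from the four timestamps T1..T4 of Table 1. The exchange in
# simulate_exchange() is constructed; its clock values are not from the page.

NTP_PORT = 123
NTP_UNIX_EPOCH_DELTA = 2208988800   # seconds from 1900-01-01 to 1970-01-01
MODE_CLIENT = 3
MODE_SERVER = 4
HEADER_FMT = "!BBbbIIIQQQQ"         # LI/VN/Mode, stratum, poll, precision,
                                    # root delay, root disp, ref id, 4 x 64-bit ts
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 48


def to_ntp_ts(unix_seconds: float) -> int:
    """Unix time -> 64-bit NTP timestamp (32-bit seconds since 1900, 32-bit fraction)."""
    whole = int(unix_seconds)
    frac = int((unix_seconds - whole) * (1 << 32))
    return ((whole + NTP_UNIX_EPOCH_DELTA) << 32) | frac


def from_ntp_ts(ts: int) -> float:
    return ((ts >> 32) - NTP_UNIX_EPOCH_DELTA) + (ts & 0xFFFFFFFF) / (1 << 32)


def build_packet(mode: int, origin: int = 0, receive: int = 0,
                 transmit: int = 0, version: int = 4, stratum: int = 0) -> bytes:
    """Build an NTP header with LI=0; fields this example does not use are zero."""
    first = (0 << 6) | (version << 3) | (mode & 0x7)
    return struct.pack(HEADER_FMT, first, stratum, 0, 0, 0, 0, 0, 0,
                       origin, receive, transmit)


def parse_packet(data: bytes) -> dict:
    """Decode the fixed header; reject datagrams too short to be NTP at all."""
    if len(data) < HEADER_LEN:
        raise ValueError(f"NTP header needs {HEADER_LEN} bytes, got {len(data)}")
    (first, stratum, _poll, _prec, _rdelay, _rdisp, _refid, _ref,
     origin, receive, transmit) = struct.unpack(HEADER_FMT, data[:HEADER_LEN])
    return {"li": first >> 6, "version": (first >> 3) & 0x7, "mode": first & 0x7,
            "stratum": stratum, "origin": origin, "receive": receive,
            "transmit": transmit}


def classify(data: bytes) -> str:
    """What a gateway on the client->server path expects: 'request' (mode 3)
    outbound and 'response' (mode 4) inbound. Any other mode is 'other': it is
    neither a normal client request nor a normal server response."""
    mode = parse_packet(data)["mode"]
    return {MODE_CLIENT: "request", MODE_SERVER: "response"}.get(mode, "other")


def offset_and_delay(t1: float, t2: float, t3: float, t4: float):
    """RFC 5905 clock offset and round-trip delay, in seconds."""
    offset = ((t2 - t1) + (t3 - t4)) / 2
    delay = (t4 - t1) - (t3 - t2)
    return offset, delay


def simulate_exchange(client_ahead: float = 0.25, one_way: float = 0.02,
                      server_hold: float = 0.001) -> dict:
    """Constructed request/response round trip. The client's clock runs
    client_ahead seconds fast; the server's clock is taken as correct."""
    true_now = 1700000000.0
    t1 = true_now + client_ahead                      # client's clock as request leaves
    # On the wire the client carries T1 in its Transmit Timestamp; the server
    # echoes it back as the Origin Timestamp of the response.
    request = build_packet(MODE_CLIENT, transmit=to_ntp_ts(t1))
    req = parse_packet(request)
    t2 = true_now + one_way                           # server's clock at receipt
    t3 = t2 + server_hold                             # server's clock at transmit
    response = build_packet(MODE_SERVER, origin=req["transmit"],
                            receive=to_ntp_ts(t2), transmit=to_ntp_ts(t3), stratum=2)
    rsp = parse_packet(response)
    t4 = t3 + one_way + client_ahead                  # client's clock at arrival
    offset, delay = offset_and_delay(from_ntp_ts(rsp["origin"]),
                                     from_ntp_ts(rsp["receive"]),
                                     from_ntp_ts(rsp["transmit"]), t4)
    return {"request_kind": classify(request), "response_kind": classify(response),
            "offset": offset, "delay": delay}


if __name__ == "__main__":
    print(simulate_exchange())   # offset ≈ -0.25 s (client runs fast), delay ≈ 0.04 s
```

The gateway logic described on this page only needs `classify()` and the address tuple; the offset and delay computation is included so that the four timestamps of Table 1 are shown doing their actual job, which also makes clear why a response with an Origin Timestamp the client never sent is worthless to it.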
- A response should not be directed to a client that never sent a request. This fact is used to block unsolicited responses by maintaining a list of outgoing requests (e.g., those egressing a private network). Such a scheme is useful when the NTP client is inside a protected network and the NTP server is outside it; that is, the NTP requests are outbound and the NTP responses are inbound.
- Software logic, hardware logic or a combination thereof is deployed between the client and server in the form of a network security device (e.g., a transparent gateway) and is therefore a party to all communication between the clients and the servers that takes place via the gateway.
- Table 3 depicts an exemplary memory table for tracking NTP requests and responses in an embodiment of this invention. An NTP Client Source IP, Client Source Port and NTP Server Destination IP uniquely identify a request tuple for tracking purposes. Additional parameters, viz. Mode and Timeout, help time out the entry after a certain period so that it does not remain in memory perpetually. The entry is removed either when the gateway logic observes a matching response or when the timeout occurs without the server responding. The logic may also age out and eject an entry on memory overflow, using a scheme well known to those in the art such as least recently used (LRU), to make way for a new entry.
- The 3-tuple consisting of the Client IP address, Source Port and Destination IP can be converted to a hash using algorithms including, but not limited to, Message Digest algorithm 5 (MD5), Secure Hash Algorithm (SHA) (e.g., SHA-1, SHA-2, SHA-3, SHA-256, SHA-512) and Cyclic Redundancy Check (CRC) (e.g., CRC32). The depth of this table depends on the number of bits in the hash; for example, if the hash has 20 bits, the table can have 1 M entries. The hashed 3-tuple is used to index the table and thus look up an incoming tuple to perform a duplicate check or an absence check.
- FIG. 4 is a flow diagram illustrating a method of processing an NTP request in accordance with an embodiment of the present invention. An NTP request packet is received from a Source IP address, with a Source UDP port and with a Destination IP address. This 3-tuple is used to find the presence of an existing entry in an NTP request and response tracking table (e.g., the NTP request/response matching table of Table 3 described above). When the 3-tuple is already present in the table at block 405, a request associated with this 3-tuple has already been observed, and this duplicate request may represent a possible attack or misbehavior by a client. This ensures that a single IP address cannot send consecutive NTP requests to the same NTP server too soon (e.g., within a predefined and/or configurable time period) while a request is already pending, which defeats scripted attacks that simply flood an NTP server with one request after another. Such duplicate NTP requests may be discarded and not allowed to reach the destination NTP server at block 406.
- FIG. 5 is a flow diagram illustrating a method of processing an NTP response in accordance with an embodiment of the present invention. An NTP response packet is received from a Source IP address, with a Source UDP port and with a Destination IP address. This 3-tuple is used to find the presence of an existing entry in the NTP request and response tracking table (e.g., the NTP request/response matching table of Table 3 described above). When the 3-tuple is already present in the table at block 506, a corresponding request has been observed traversing the gateway; therefore, the response is allowed to pass through and the entry is deleted from the NTP request and response tracking table.
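The following is an added example, not the patent's or Fortinet's code, putting Table 3, FIG. 4 and FIG. 5 together in one tracking table: the (client IP, client UDP port, server IP) 3-tuple is hashed to a 20-bit slot index, an outbound request with a pending entry is dropped as a duplicate, an inbound response without a pending entry is dropped as unsolicited, entries age out on timeout, and the oldest entry is evicted when the table is full. Two details the text leaves implicit are made explicit here as constructed choices: for an inbound response the source is the server and the destination is the client, so the tuple is rebuilt mirrored before lookup; and on a slot collision the newer request takes the slot. The hash function, timeout, capacity, the `FakeClock` and the addresses in the walkthrough are all assumptions of this example.

```python
import hashlib
import time
from collections import OrderedDict

# Added example, not the patent's code: the Table 3 request/response tracking
# table keyed by the (client IP, client UDP port, server IP) 3-tuple, with the
# FIG. 4 duplicate-request check, the FIG. 5 unsolicited-response check, timeout
# aging and eviction of the oldest entry on overflow. Hash width, timeout,
# capacity and the clock source are constructed choices, not values from the page.

HASH_BITS = 20                      # a 20-bit index addresses 1,048,576 slots
INDEX_MASK = (1 << HASH_BITS) - 1


def tuple_index(client_ip: str, client_port: int, server_ip: str) -> int:
    """Hash the 3-tuple to a HASH_BITS-wide slot index (SHA-256, truncated)."""
    key = f"{client_ip}|{client_port}|{server_ip}".encode()
    return int.from_bytes(hashlib.sha256(key).digest()[:4], "big") & INDEX_MASK


class NtpTrackingTable:
    def __init__(self, timeout: float = 2.0, capacity: int = 1 << HASH_BITS,
                 clock=time.monotonic):
        self.timeout = timeout          # seconds a request may stay unanswered
        self.capacity = capacity        # cap on live entries (memory budget)
        self.clock = clock
        # slot index -> (3-tuple, expiry). OrderedDict keeps insertion order,
        # so popitem(last=False) ejects the oldest entry when the table is full.
        self.entries = OrderedDict()

    def _expire(self) -> None:
        """Drop entries whose server never answered within the timeout."""
        now = self.clock()
        for idx in [i for i, (_, exp) in self.entries.items() if exp <= now]:
            del self.entries[idx]

    def on_request(self, client_ip: str, client_port: int, server_ip: str) -> str:
        """Outbound request (mode 3). FIG. 4: a pending entry for the same
        3-tuple means a duplicate, so the request is dropped."""
        self._expire()
        key = (client_ip, client_port, server_ip)
        idx = tuple_index(*key)
        entry = self.entries.get(idx)
        if entry is not None and entry[0] == key:
            return "drop-duplicate"
        # An entry with a different tuple is a slot collision; the newer request
        # takes the slot (a constructed policy; the page states none).
        if entry is None and len(self.entries) >= self.capacity:
            self.entries.popitem(last=False)      # evict the oldest entry
        self.entries[idx] = (key, self.clock() + self.timeout)
        return "forward"

    def on_response(self, server_ip: str, client_ip: str, client_port: int) -> str:
        """Inbound response (mode 4): its source is the server and its destination
        the client, so the 3-tuple is rebuilt mirrored. FIG. 5: pass it only if a
        matching request is pending, then delete the entry."""
        self._expire()
        key = (client_ip, client_port, server_ip)
        idx = tuple_index(*key)
        entry = self.entries.get(idx)
        if entry is None or entry[0] != key:
            return "drop-unsolicited"
        del self.entries[idx]
        return "forward"


class FakeClock:
    """Deterministic clock for the walkthrough (constructed)."""
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def walkthrough() -> list:
    """Constructed traffic against a two-entry table; returns the verdicts."""
    clk = FakeClock()
    table = NtpTrackingTable(timeout=2.0, capacity=2, clock=clk)
    seen = [
        table.on_request("10.0.0.5", 40000, "192.0.2.10"),    # forward: first request
        table.on_request("10.0.0.5", 40000, "192.0.2.10"),    # drop-duplicate: still pending
        table.on_response("192.0.2.10", "10.0.0.5", 40000),   # forward: matches, entry removed
        table.on_response("192.0.2.10", "10.0.0.5", 40000),   # drop-unsolicited: replayed response
        table.on_response("192.0.2.10", "10.0.0.9", 40001),   # drop-unsolicited: never requested
        table.on_request("10.0.0.5", 40000, "192.0.2.10"),    # forward: slot free again
    ]
    clk.advance(3.0)                                          # server never answered; entry ages out
    seen.append(table.on_request("10.0.0.5", 40000, "192.0.2.10"))   # forward: aged-out slot reused
    table.on_request("10.0.0.6", 40001, "192.0.2.10")        # table now full (capacity 2)
    table.on_request("10.0.0.7", 40002, "192.0.2.10")        # evicts the oldest entry (10.0.0.5)
    seen.append(table.on_response("192.0.2.10", "10.0.0.5", 40000))  # drop-unsolicited: evicted
    return seen


if __name__ == "__main__":
    for verdict in walkthrough():
        print(verdict)
```

Two points the walkthrough makes that matter in deployment: a legitimate response that arrives after the entry has aged out or been evicted is dropped too, so the timeout has to exceed the real round-trip time to the slowest upstream server, and the eviction policy decides which clients lose their pending responses under memory pressure.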
- Table 4 depicts an exemplary memory table for tracking NTP requesters in an embodiment of this invention. When a protected NTP server (e.g., one residing within a protected network protected by a transparent gateway implementing the DDoS mitigation techniques described herein) responds positively to an NTP Client Source IP, an entry is added to this table for that source IP. These source IPs are considered legitimate requesters. The entry is removed when a timeout occurs, the timeout being controlled by an administrator setting. The logic may also age out and eject an entry on memory overflow, using a scheme well known to those in the art such as least recently used (LRU), to make way for a new entry.
- The purpose of Table 4 is to let only legitimate IP addresses issue NTP requests during a period when too many requests are being seen by the gateway, that is, during an NTP request flood. This reduces the load on the NTP server by a scheme of selection. The threshold for such a number of requests may be set behaviorally, based on past data, by Rate Anomaly Monitoring Engine 301. This scheme allows the gateway to restrict unsolicited NTP requests during an NTP request flood.
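The following is an added example, not the patent's or Fortinet's code, of the Table 4 scheme for a protected NTP server: source IPs the server has answered are recorded with an administrator-set timeout and LRU eviction, and a gate counts inbound requests per window and, once the count exceeds a threshold, forwards only requests from recorded IPs. On the page the threshold is set behaviorally by Rate Anomaly Monitoring Engine 301; here it is a fixed, constructed number, and the timeout, capacity, window, `FakeClock` and addresses are likewise assumptions of this example.

```python
import time
from collections import OrderedDict

# Added example, not the patent's code: the Table 4 list of legitimate
# requesters for a protected NTP server, and a gate that consults it only while
# the inbound request rate exceeds a threshold. The page has Rate Anomaly
# Monitoring Engine 301 set that threshold behaviorally; here it is a fixed,
# constructed number. Timeout, capacity, window and the clock are constructed.


class LegitimateRequesters:
    """Source IPs the protected server has answered positively, with an
    administrator-set timeout and LRU eviction when the table overflows."""

    def __init__(self, timeout: float = 300.0, capacity: int = 4,
                 clock=time.monotonic):
        self.timeout = timeout
        self.capacity = capacity
        self.clock = clock
        self.entries = OrderedDict()        # client IP -> expiry time

    def _expire(self) -> None:
        now = self.clock()
        for ip in [ip for ip, exp in self.entries.items() if exp <= now]:
            del self.entries[ip]

    def on_server_response(self, client_ip: str) -> None:
        """Called when the protected server's response to client_ip passes
        outbound: record (or refresh) the client as a legitimate requester."""
        self._expire()
        if client_ip in self.entries:
            self.entries.move_to_end(client_ip)        # refresh recency
        elif len(self.entries) >= self.capacity:
            self.entries.popitem(last=False)           # evict least recently used
        self.entries[client_ip] = self.clock() + self.timeout

    def is_legitimate(self, client_ip: str) -> bool:
        self._expire()
        if client_ip in self.entries:
            self.entries.move_to_end(client_ip)        # a lookup hit counts as use
            return True
        return False


class RequestFloodGate:
    """Counts inbound NTP requests per window. Below the threshold every request
    is forwarded; above it, only requesters listed as legitimate get through."""

    def __init__(self, requesters: LegitimateRequesters, threshold: int,
                 window: float = 1.0, clock=time.monotonic):
        self.requesters = requesters
        self.threshold = threshold
        self.window = window
        self.clock = clock
        self.window_start = clock()
        self.count = 0

    def on_request(self, client_ip: str) -> str:
        now = self.clock()
        if now - self.window_start >= self.window:
            self.window_start, self.count = now, 0     # start a new window
        self.count += 1
        flooding = self.count > self.threshold
        if flooding and not self.requesters.is_legitimate(client_ip):
            return "drop"
        return "forward"


class FakeClock:
    """Deterministic clock for the walkthrough (constructed)."""
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def walkthrough() -> dict:
    clk = FakeClock()
    legit = LegitimateRequesters(timeout=300.0, capacity=4, clock=clk)
    gate = RequestFloodGate(legit, threshold=3, window=1.0, clock=clk)
    # Quiet period: the server answered these two clients, so they are listed.
    for ip in ("198.51.100.7", "198.51.100.8"):
        legit.on_server_response(ip)
    # Constructed burst: four unknown sources, then a listed client, then another unknown.
    burst = ["203.0.113.1", "203.0.113.2", "203.0.113.3", "203.0.113.4",
             "198.51.100.7", "203.0.113.5"]
    during_flood = [gate.on_request(ip) for ip in burst]
    # After the timeout the listing lapses, so the same client is dropped in a flood.
    clk.advance(301.0)
    after_timeout = [gate.on_request(ip) for ip in burst[:4] + ["198.51.100.7"]]
    return {"during_flood": during_flood, "after_timeout": after_timeout}


if __name__ == "__main__":
    print(walkthrough())
```

Note that the first requests of every window are forwarded regardless of source, since the flood state is only entered once the count passes the threshold; a clean clock and a threshold derived from observed baselines, as the page assigns to Engine 301, are what keep that pre-threshold allowance small.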
- FIG. 6 is an exemplary computer system in which or with which embodiments of the present invention may be utilized. Computer system 600 represents a network security device (e.g., network security device 300, such as a transparent gateway) that, among other things, performs NTP request and response processing to detect and mitigate NTP request and/or response flooding.
- Embodiments of the present disclosure include various steps, which have been described above. A variety of these steps may be performed by hardware components or may be tangibly embodied on a computer-readable storage medium in the form of machine-executable instructions, which may be used to cause a general-purpose or special-purpose processor programmed with instructions to perform these steps. Alternatively, the steps may be performed by a combination of hardware, software, and/or firmware.
- Computer system 600 includes an external storage device 610, a bus 620, a main memory 630, a read only memory 640, a mass storage device 650, a communication port 660, and a processor 670.
- computer system 600 may include more than one processor and communication ports.
- Processor 670 examples include, but are not limited to, an Intel® Itanium® or Itanium 2 processor(s), or AMD® Opteron® or Athlon MP® processor(s), Motorola® lines of processors, FortiSOC™ system on a chip processors or other future processors.
- Processor 670 may include various modules associated with embodiments of the present invention.
- Communication port 660 can be any of an RS-232 port for use with a modem based dialup connection, a 10/100 Ethernet port, a Gigabit or 10 Gigabit port using copper or fiber, a serial port, a parallel port, or other existing or future ports.
- Communication port 660 may be chosen depending on a network, such as a Local Area Network (LAN), Wide Area Network (WAN), or any network to which computer system 600 connects.
- Memory 630 can be Random Access Memory (RAM), or any other dynamic storage device commonly known in the art.
- Read only memory 640 can be any static storage device(s) e.g., but not limited to, a Programmable Read Only Memory (PROM) chips for storing static information e.g., start-up or BIOS instructions for processor 670 .
- Mass storage 650 may be any current or future mass storage solution, which can be used to store information and/or instructions.
- Exemplary mass storage solutions include, but are not limited to, Parallel Advanced Technology Attachment (PATA) or Serial Advanced Technology Attachment (SATA) hard disk drives or solid-state drives (internal or external, e.g., having Universal Serial Bus (USB) and/or Firewire interfaces), e.g. those available from Seagate (e.g., the Seagate Barracuda 7200 family) or Hitachi (e.g., the Hitachi Deskstar 7K1000), one or more optical discs, Redundant Array of Independent Disks (RAID) storage, e.g. an array of disks (e.g., SATA arrays), available from various vendors including Dot Hill Systems Corp., LaCie, Nexsan Technologies, Inc. and Enhance Technology, Inc.
- Bus 620 communicatively couples processor(s) 670 with the other memory, storage and communication blocks.
- Bus 620 can be, e.g., a Peripheral Component Interconnect (PCI)/PCI Extended (PCI-X) bus, Small Computer System Interface (SCSI), USB or the like, for connecting expansion cards, drives and other subsystems, as well as other buses, such as a front side bus (FSB), which connects processor 670 to the software system.
- Operator and administrative interfaces, e.g., a display, keyboard, and a cursor control device, may also be coupled to bus 620 to support direct operator interaction with computer system 600.
- Other operator and administrative interfaces (not shown) can be provided through network connections connected through communication port 610 .
- External storage device 640 can be any kind of external hard-drives, floppy drives, IOMEGA® Zip Drives, Compact Disc-Read Only Memory (CD-ROM), Compact Disc-Re-Writable (CD-RW), Digital Video Disk-Read Only Memory (DVD-ROM). Components described above are meant only to exemplify various possibilities. In no way should the aforementioned exemplary computer system limit the scope of the present disclosure.
- any digital computer systems can be configured or otherwise programmed to implement the methods and apparatuses disclosed herein, and to the extent that a particular digital computer system is configured to implement the methods and apparatuses of this invention, it is within the scope and spirit of the present invention.
- When a digital computer system is programmed to perform particular functions pursuant to computer-executable instructions from program software that implements the present invention, it in effect becomes a special purpose computer particular to the present invention.
- the techniques necessary to achieve this are well known to those skilled in the art and thus are not further described herein.
- Computer executable instructions implementing the methods and techniques of the present invention can be distributed to users on a computer-readable medium and are often copied onto a hard disk or other storage medium. When such a program of instructions is to be executed, it is usually loaded into the random access memory of the computer, thereby configuring the computer to act in accordance with the techniques disclosed herein. All these operations are well known to those skilled in the art and thus are not further described herein.
- the term “computer-readable medium” encompasses distribution media, intermediate storage media, execution memory of a computer, and any other medium or device capable of storing for later reading by a computer a computer program implementing the present invention.
Description
- This application may relate to the subject matter of U.S. Pat. No. 7,426,634 entitled, “Method and apparatus for rate based denial of service attack detection and prevention”, U.S. Pat. No. 7,602,731 entitled “System and method for integrated header, state, rate and content anomaly prevention with policy enforcement”, U.S. Pat. No. 7,626,940 entitled “System and method for integrated header, state, rate and content anomaly prevention for domain name service”, and U.S. Pat. No. 9,729,509 entitled “System and Method for Integrated Header, State, Rate and Content Anomaly Prevention for Session Initiation Protocol” all of which are hereby incorporated by reference in their entirety for all purposes.
- Contained herein is material that is subject to copyright protection. The copyright owner has no objection to the facsimile reproduction of the patent disclosure by any person as it appears in the Patent and Trademark Office patent files or records, but otherwise reserves all rights to the copyright whatsoever. Copyright 2018, Fortinet, Inc.
- Based on industry surveys and published data, amplification-based DDoS attacks have been growing. Amplification involves sending a small packet to a server and getting back a much larger packet in response. If the server is open to receiving packets, it can be used to reflect spoofed attacks and send the responses back to a victim which had nothing to do with the original request. If the ratio of the response packet to the original small request packet is high, the amplification is considered high.
- Common protocols which are used for reflection, include, but are not limited to, Domain Name System (DNS), NTP, Chargen, Simple Service Discovery Protocol (SSDP), Simple Network Management Protocol (SNMP), Portmap, and Structured Query Language (SQL).
- When an NTP reflection attack is launched against a server it gets a barrage of packets from random sources. On this victim network, it is difficult to differentiate between which is a legitimate request or a legitimate response and therefore appliances such as firewall or Intrusion Prevention System (IPS) appliances cannot stop such attacks easily. That's because the requests or the responses on their own may sometimes be perfectly legitimate in structure according to the standards of the protocol. Clearly, a new method is needed to differentiate legitimate requests and responses from the attack packets. The purpose of such differentiation is important to isolate and sift such packets and protect the servers while allowing legitimate packets to go through.
- Other features of embodiments of the present disclosure will be apparent from the accompanying drawings and from the detailed description that follows.
-
FIG. 1 illustrates an NTP reflection attack via an unsecured NTP server. -
FIG. 2 illustrates the concept of amplification in NTP attacks. -
FIG. 3 illustrates the primary components for NTP DDoS attack mitigation in accordance with an embodiment of the present invention. -
FIG. 4 is a flow diagram illustrating a method of detecting and mitigating duplicate NTP requests from the same source IP address in accordance with an embodiment of the present invention. -
FIG. 5 is a flow diagram illustrating a method of mitigating unsolicited NTP response floods in accordance with an embodiment of the present invention. -
FIG. 6 illustrates an exemplary computer system in which or with which embodiments of the present invention may be utilized. - Systems and methods are described for mitigating DDoS attacks utilizing Network Time Protocol (NTP). According to one embodiment, a DDoS attack mitigation module comprises an apparatus that classifies NTP packets and its parameters and validates the headers for anomalies. Another component of the mitigation includes a rate monitor for multiple parameters. According to another embodiment of the invention, a meter maintains and monitors for unsolicited NTP requests. Yet another component of the mitigation system consists of an NTP request/response matching system to mitigated unsolicited responses.
- Embodiments of the present disclosure may be provided as a computer program product, which may include a machine-readable storage medium embodying thereon instructions, which may be used to program a computer (or other electronic devices) to perform a process. The machine-readable medium may include, but is not limited to, fixed (hard) drives, magnetic tape, floppy diskettes, optical disks, compact disc read-only memories (CD-ROMs), and magneto-optical disks, semiconductor memories, such as ROMs, PROMs, random access memories (RAMs), programmable read-only memories (PROMs), erasable PROMs (EPROMs), electrically erasable PROMs (EEPROMs), flash memory, magnetic or optical cards, or other type of media/machine-readable medium suitable for storing electronic instructions (e.g., computer programming code, such as software or firmware).
- Various methods described herein may be practiced by combining one or more machine-readable storage media containing the code according to the present disclosure with appropriate standard computer hardware to execute the code contained therein. An apparatus for practicing various embodiments of the present disclosure may involve one or more computers (or one or more processors within a single computer) and storage systems containing or having network access to computer program(s) coded in accordance with various methods described herein, and the method steps of the disclosure could be accomplished by modules, routines, subroutines, or subparts of a computer program product.
- FIG. 1 illustrates an NTP reflection attack 100 in which an attacker 101 sends an unsolicited request to an unsecure NTP server 103 somewhere on the Internet 102. The request is spoofed (i.e., it carries the source IP address of a victim server 104), so NTP server 103 believes it must send its response to victim server 104. When a multitude of such requests reach NTP server 103 from multiple compromised or spoofing attackers, victim server 104 can be overwhelmed by a distributed denial of service attack carried out using the NTP protocol.
- FIG. 2 illustrates an NTP amplification attack 200 in which an attacker 201 sends an unsolicited request to an unsecure NTP server 203 somewhere on the Internet 202. The request is a short packet (e.g., 64 bytes). In an exemplary situation, this request may ask NTP server 203 to respond with a list of past requesters. If NTP server 203 responds to such requests due to its configuration, the response can be as large as 13,184 bytes. Additionally, because the request is spoofed, server 203 believes it must send the response to a victim server 204. Thus, a 64-byte packet causes a 13,184-byte response directed to victim server 204. When a multitude of such requests reach NTP server 203 from multiple compromised or spoofing attackers, victim server 204 can be overwhelmed by an amplified distributed denial of service attack using the NTP protocol, which can completely fill its Internet pipe and deny service to legitimate users.
- FIG. 3 illustrates the primary components used to mitigate spoofed reflection and amplification NTP-based DDoS attacks in accordance with an embodiment of the present invention. In the context of the present example, the primary mitigation components, which may be implemented within a network security device 300, such as a transparent gateway protecting a protected network, include an NTP Rate Anomaly Monitoring Engine 301, an NTP Duplicate Request Prevention Engine 302, an NTP Unsolicited Response Prevention Engine 303 and an NTP Unsolicited Request Mitigation Engine 304, which may collectively be referred to as an NTP DDoS detection engine or module.
- NTP Rate Anomaly Monitoring Engine 301 is easy to imagine for those having ordinary skill in the art and is not described here in detail. Its purpose is to monitor the rates of NTP requests and responses and to determine whether those rates are above the normal established rates. When the rates are higher than normal, it informs the other modules of this state so that they can take extraordinary actions.
- According to one embodiment, NTP duplicate request prevention engine 302 determines whether a current NTP request is duplicative of an earlier NTP request observed by the transparent gateway, for example, by implementing the method described with reference to FIG. 4 (below).
- According to one embodiment, NTP unsolicited response prevention engine 303 confirms that an NTP response observed by the transparent gateway corresponds to an NTP request previously observed by the transparent gateway, for example, by implementing the method described with reference to FIG. 5 (below).
- According to one embodiment, NTP unsolicited request prevention engine 304 tracks NTP requesters that have made NTP requests to an NTP server residing within a protected network by, for example, maintaining and using a data structure containing the information noted in Table 4 (below) to track legitimate requesters and limit responses to those legitimate requesters during an NTP request flood.
- In an exemplary situation, a client sends an NTP protocol packet to a server and records the time the packet left the client in the Origin Timestamp field (T1). The server records the time the packet was received (T2). The server then assembles a response packet containing the original Origin Timestamp and a Receive Timestamp equal to the packet receive time. The server sets the Transmit Timestamp to the time the message is passed back toward the client (T3). The client then records the time the packet arrived (T4), giving the client four time measurements, as shown in Table 1. These four parameters are passed into the client timekeeping function to drive a clock synchronization function, which is described in further detail below.
- TABLE 1: Key Timestamps in NTP

| Timestamp Name | ID | Generated at |
|---|---|---|
| Origin Timestamp | T1 | Time request sent by the client |
| Receive Timestamp | T2 | Time request received by the server |
| Transmit Timestamp | T3 | Time reply sent by the server |
| Destination Timestamp | T4 | Time reply received by the client |

- Table 2 (below) depicts an exemplary NTP request and response packet according to the Network Time Protocol Version 4: Protocol and Algorithms Specification, Internet Engineering Task Force (IETF) Request for Comments (RFC) 5905, which is hereby incorporated by reference in its entirety for all purposes.
- TABLE 2: Structure of NTP Request and Response Packets (fields in packet order)

| Field | Size (bits) |
|---|---|
| LI | |
| VN | |
| Mode | |
| Stratum | |
| Poll | |
| Precision | |
| Root Delay | |
| Root Dispersion | |
| Reference Identifier | |
| Reference Timestamp | 64 |
| Origin Timestamp | 64 |
| Receive Timestamp | 64 |
| Transmit Timestamp | 64 |
| Optional Extension Field 1 | variable |
| Optional Extension Field 2 | variable |
| Optional Key/Algorithm Identifier | 32 |
| Optional Message Digest | 128 |

- NTP operates over the User Datagram Protocol (UDP). An NTP server listens for client NTP packets on UDP port 123. The NTP server is stateless. The server responds to each received client NTP packet in a simple transactional manner by adding fields to the received packet and passing the packet back to the original sender. The key thing to note here is that the Mode field in Table 2 has a value of 3 when the client sends the request and 4 when the server sends a response. A response should not be directed to a client that never sent a request. In an embodiment of this invention, this fact is used to block unsolicited responses by maintaining a list of outgoing requests (e.g., those egressing a private network). Such a scheme can be useful when the NTP client is inside a protected network and the NTP server is outside the protected network. That is, the NTP requests are outbound and the NTP responses are inbound. In an embodiment of this invention, software logic, hardware logic or a combination thereof is deployed between the client and server in the form of a network security device (e.g., a transparent gateway) and is therefore a party to all communication between the clients and the servers that takes place via the gateway.
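The header layout of Table 2 and the T1..T4 exchange of Table 1, carried through to the client's offset and delay computation, as an added example that is not part of the patent: a parser and builder for the fixed 48-byte NTPv4 header (extension fields, key identifier and digest omitted), with the client's T1 travelling in the Transmit Timestamp field and echoed back in the Origin Timestamp as RFC 5905 specifies, and the RFC 5905 offset/delay formulas. Function names and the sample times are assumptions.

```python
"""NTPv4 header of Table 2 and the T1..T4 exchange of Table 1.
Added example, not the patent's code: function names and the sample
times are assumptions; field layout and formulas follow RFC 5905."""
import struct

NTP_UNIX_DELTA = 2_208_988_800   # seconds from the NTP epoch (1900) to the Unix epoch (1970)
MODE_CLIENT, MODE_SERVER = 3, 4  # Mode field: 3 = client request, 4 = server response
# LI/VN/Mode byte, stratum, poll, precision, root delay, root dispersion,
# reference id, then reference/origin/receive/transmit 64-bit timestamps.
# Extension fields, key id and digest are omitted here.
HEADER_FMT = "!BBbbIIIQQQQ"
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 48 bytes


def to_ntp(unix_time):
    """Unix seconds (float) -> 64-bit NTP timestamp (32-bit seconds, 32-bit fraction)."""
    t = unix_time + NTP_UNIX_DELTA
    secs = int(t)
    frac = round((t - secs) * 2**32)
    if frac == 2**32:                 # rounding carried into the seconds field
        secs, frac = secs + 1, 0
    return (secs << 32) | frac


def from_ntp(ts):
    """64-bit NTP timestamp -> Unix seconds (float)."""
    return (ts >> 32) + (ts & 0xFFFFFFFF) / 2**32 - NTP_UNIX_DELTA


def parse_header(pkt):
    """Split a raw NTP packet into its Table 2 header fields."""
    if len(pkt) < HEADER_LEN:
        raise ValueError("NTP packet shorter than the 48-byte header")
    (flags, stratum, poll, precision, root_delay, root_disp, ref_id,
     ref_ts, origin_ts, recv_ts, xmit_ts) = struct.unpack(HEADER_FMT, pkt[:HEADER_LEN])
    return {
        "li": flags >> 6, "vn": (flags >> 3) & 0x7, "mode": flags & 0x7,
        "stratum": stratum, "poll": poll, "precision": precision,
        "root_delay": root_delay, "root_disp": root_disp, "ref_id": ref_id,
        "ref_ts": ref_ts, "origin_ts": origin_ts,
        "recv_ts": recv_ts, "xmit_ts": xmit_ts,
    }


def build_client_request(t1):
    """Mode 3 request. The client's send time T1 travels in Transmit Timestamp;
    the server echoes it back in Origin Timestamp (RFC 5905)."""
    flags = (0 << 6) | (4 << 3) | MODE_CLIENT      # LI=0, VN=4, Mode=3
    return struct.pack(HEADER_FMT, flags, 0, 0, 0, 0, 0, 0, 0, 0, 0, to_ntp(t1))


def build_server_response(request, t2, t3, stratum=2):
    """Mode 4 reply: Origin = client's T1, Receive = T2, Transmit = T3.
    Reference timestamp/id are left zero for this example."""
    req = parse_header(request)
    flags = (0 << 6) | (4 << 3) | MODE_SERVER      # LI=0, VN=4, Mode=4
    return struct.pack(HEADER_FMT, flags, stratum, 0, -20, 0, 0, 0,
                       0, req["xmit_ts"], to_ntp(t2), to_ntp(t3))


def client_consume(response, t1, t4):
    """Client side of Table 1. Accept only a mode-4 reply whose Origin Timestamp
    echoes our own T1, so a reply we never asked for is discarded; then compute
    clock offset and round-trip delay with the RFC 5905 formulas."""
    rsp = parse_header(response)
    if rsp["mode"] != MODE_SERVER or rsp["origin_ts"] != to_ntp(t1):
        return None
    t2, t3 = from_ntp(rsp["recv_ts"]), from_ntp(rsp["xmit_ts"])
    return {
        "offset": ((t2 - t1) + (t3 - t4)) / 2,    # how far the client clock lags the server
        "delay": (t4 - t1) - (t3 - t2),           # round trip minus server processing time
    }


if __name__ == "__main__":
    # Constructed sample: server clock 0.5 s ahead, 10 ms each way, 1 ms on the server.
    T1 = 1_600_000_000.0
    req = build_client_request(T1)
    rsp = build_server_response(req, T1 + 0.510, T1 + 0.511)
    print(parse_header(req)["mode"], parse_header(rsp)["mode"])   # 3 4
    print(client_consume(rsp, T1, T1 + 0.021))                    # offset ~0.5, delay ~0.02
```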
- Table 3 (below) depicts an exemplary memory table for tracking the NTP requests and responses in an embodiment of this invention. An NTP Client Source IP, Client Source Port and NTP Server destination IP uniquely identify a request tuple for tracking purposes. Additional parameters, viz. Mode and Timeout, help time out the entry after a certain period so that the entry does not remain in memory perpetually. In one embodiment, the entry is removed either when the gateway logic observes a matching response or when the timeout occurs without the server responding. In yet another embodiment, the logic may age out and eject an entry if there is memory overflow, to protect the memory based on some logic well known to those in the art, such as least recently used (LRU), to make way for a new entry.
- TABLE 3: NTP Request/Response Matching Table

| Index | Client IP Address | Client Source Port | Server Destination IP | Timeout |
|---|---|---|---|---|
| 0 | a.b.c.d | x | x | t |
| 1 | : | : | : | : |
| : | : | : | : | : |
| 2^n | : | : | : | : |

- The hardware implementation of such tables is well known to those in the art and therefore is not described here for brevity; it may be implemented using schemes such as hash-based addressing using a large dynamic random access memory (DRAM). Since IP addresses can be 32 bits or 128 bits wide, but the table depth is limited to the 2^n available slots shown in Table 3, a hash-based scheme is known to work well.
- According to an embodiment of this invention, a 3-tuple consisting of IP address, Source Port and the Destination IP can be converted to a hash using algorithms including, but not limited to, Message Digest algorithm 5 (MD5), Secure Hash Algorithm (SHA) (e.g., SHA-1, SHA-2, SHA-3, SHA-256, SHA-512), or Cyclic Redundancy Check (CRC) (e.g., CRC32). The depth of this table depends on the number of bits in the hash. For example, if the hash has 20 bits, the table can have 1 M entries. This 3-tuple is used to index, and thus search for, an incoming tuple to perform a duplicate check or an absence check.
- FIG. 4 is a flow diagram illustrating a method of processing an NTP request in accordance with an embodiment of the present invention.
- At block 401, an NTP request packet is received from a Source IP address, with a Source UDP port and with a Destination IP address.
- At block 402, this 3-tuple is used to look for an existing entry in an NTP request and response tracking table (e.g., the NTP request/response matching table of Table 3 described above).
- At block 403, if the 3-tuple does not exist in the table, a new entry is created at block 404.
- If the 3-tuple is already present in the table at block 405, it means a request associated with this 3-tuple has already been observed, and this duplicate request may represent a possible attack or misbehavior by a client. This ensures that no single IP address can send consecutive NTP requests to the same NTP server too soon (e.g., within a predefined and/or configurable time period) while a request is already pending. This defeats scripted attacks that simply flood an NTP server with requests one after another.
- Depending on the administrator's choice, such NTP requests may be discarded at block 406 and not allowed to reach the destination NTP server.
- FIG. 5 is a flow diagram illustrating a method of processing an NTP response in accordance with an embodiment of the present invention.
- At block 501, an NTP response packet is received from a Source IP address, with a Source UDP port and with a Destination IP address.
- At block 502, this 3-tuple is used to look for an existing entry in an NTP request and response tracking table (e.g., the NTP request/response matching table of Table 3 described above).
- At block 503, if the 3-tuple does not exist in the table, it implies a possible reflection attack, since no request was observed by the gateway. Such a response can thus optionally be dropped at block 505 by the gateway, depending on the administrator's choice.
- When the 3-tuple is already present in the table at block 506, it means a request has been observed traversing the gateway. Therefore, the corresponding response is allowed to pass through and the entry is deleted from the NTP request and response tracking table.
- Table 4 (below) depicts an exemplary memory table for tracking NTP requesters in an embodiment of this invention. When a protected NTP server (e.g., one residing within a protected network protected by a transparent gateway implementing the DDoS mitigation techniques described herein) responds positively to an NTP Client Source IP, an entry is added to this table for that source IP. These source IPs are considered legitimate requesters. In one embodiment, the entry is removed when a timeout occurs, the timeout being controlled by a setting chosen by the administrator. In yet another embodiment, the logic may age out and eject an entry if there is memory overflow, to protect the memory based on some logic well known to those in the art, such as least recently used (LRU), to make way for a new entry.
- TABLE 4: Legitimate NTP Requester IP Tracking Table

| Index | Client IP Address | Timeout |
|---|---|---|
| 0 | a.b.c.d | t |
| 1 | : | : |
| : | : | : |
| 2^n | : | : |

- The purpose of Table 4 is to let only legitimate IP addresses issue NTP requests during a period when too many requests are being seen by the gateway, that is, during an NTP request flood. This reduces the load on the NTP server by a scheme of selection. The threshold for such a number of requests may be set behaviorally, based on past data, by Rate Anomaly Monitoring Engine 301. This scheme allows the gateway to restrict unsolicited NTP requests during an NTP request flood.
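The gateway-side bookkeeping of Table 3, FIG. 4, FIG. 5 and Table 4 in one place, as an added example that is not the patent's own code: an in-memory tracker keyed on the (client IP, client port, server IP) 3-tuple with per-entry timeouts and LRU eviction standing in for the hashed DRAM table, the FIG. 4 duplicate check on requests, the FIG. 5 unsolicited-response check, and the Table 4 legitimate-requester gate applied to inbound requests while the rate-anomaly engine flags a flood. The class and method names, the `direction` labels, the `flood` flag as the interface to Engine 301, and reading the reply's lookup key from the client side of the packet are assumptions.

```python
"""Transparent-gateway state for Table 3 (pending requests), FIG. 4 (request
check), FIG. 5 (response check) and Table 4 (legitimate requesters during a
flood). Added example, not the patent's code: class/method names, the LRU
OrderedDict standing in for the hashed DRAM table, the flood flag assumed to
come from the rate-anomaly engine, and the direction labels are assumptions."""
from collections import OrderedDict

MODE_CLIENT, MODE_SERVER = 3, 4   # Mode field values from Table 2


def ntp_mode(payload):
    """Mode is the low three bits of the first NTP header byte."""
    return (payload[0] & 0x07) if payload else None


class NtpGateway:
    def __init__(self, pending_timeout=8.0, requester_timeout=3600.0, capacity=2**20):
        # Table 3: (client ip, client port, server ip) -> expiry time, kept in LRU order
        self.pending = OrderedDict()
        # Table 4: client ip -> expiry time, for clients a protected server has answered
        self.requesters = OrderedDict()
        self.pending_timeout = pending_timeout
        self.requester_timeout = requester_timeout
        self.capacity = capacity        # the 2^n slots of Tables 3 and 4
        self.flood = False              # raised by the rate-anomaly engine (assumed interface)

    @staticmethod
    def _expire(table, now):
        """Drop entries whose timeout passed without a matching response."""
        for key in [k for k, expiry in table.items() if expiry <= now]:
            del table[key]

    def _insert(self, table, key, expiry):
        """Add or refresh an entry; evict the least recently used one when full."""
        if key in table:
            table.move_to_end(key)
        elif len(table) >= self.capacity:
            table.popitem(last=False)
        table[key] = expiry

    def on_request(self, src_ip, src_port, dst_ip, payload, now, direction):
        """FIG. 4. direction is "out" (inside client to outside server) or
        "in" (outside client to a protected NTP server)."""
        if ntp_mode(payload) != MODE_CLIENT:
            return "drop:not-a-request"
        self._expire(self.pending, now)
        key = (src_ip, src_port, dst_ip)          # blocks 401-402: the 3-tuple
        if key in self.pending:                   # block 405: request still pending
            return "drop:duplicate"
        if direction == "in" and self.flood:      # Table 4 gate during a request flood
            self._expire(self.requesters, now)
            if src_ip not in self.requesters:
                return "drop:flood-unknown-requester"
        self._insert(self.pending, key, now + self.pending_timeout)   # block 404
        return "allow"

    def on_response(self, src_ip, dst_ip, dst_port, payload, now, direction):
        """FIG. 5. The lookup key is read from the client's side of the reply
        (destination ip/port, source ip) so that it matches the request entry."""
        if ntp_mode(payload) != MODE_SERVER:
            return "drop:not-a-response"
        self._expire(self.pending, now)
        key = (dst_ip, dst_port, src_ip)
        if key not in self.pending:               # block 503: no request seen, possible reflection
            return "drop:unsolicited"
        del self.pending[key]                     # block 506: matched, retire the entry
        if direction == "out":                    # a protected server answered this client
            self._insert(self.requesters, dst_ip, now + self.requester_timeout)  # Table 4
        return "allow"


if __name__ == "__main__":
    # Constructed packets: first byte 0x23 = LI 0, VN 4, Mode 3; 0x24 = Mode 4.
    REQ, RSP = bytes([0x23]) + bytes(47), bytes([0x24]) + bytes(47)
    gw = NtpGateway()
    print(gw.on_request("10.0.0.5", 40000, "203.0.113.9", REQ, 0.0, "out"))    # allow
    print(gw.on_request("10.0.0.5", 40000, "203.0.113.9", REQ, 1.0, "out"))    # drop:duplicate
    print(gw.on_response("203.0.113.9", "10.0.0.7", 40000, RSP, 2.0, "in"))    # drop:unsolicited
    print(gw.on_response("203.0.113.9", "10.0.0.5", 40000, RSP, 2.0, "in"))    # allow
```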
- FIG. 6 is an exemplary computer system in which or with which embodiments of the present invention may be utilized. In an embodiment, computer system 600 represents a network security device (e.g., network security device 300, such as a transparent gateway) that, among other things, performs NTP request and response processing to detect and mitigate NTP request and/or response flooding. Embodiments of the present disclosure include various steps, which have been described above. A variety of these steps may be performed by hardware components or may be tangibly embodied on a computer-readable storage medium in the form of machine-executable instructions, which may be used to cause a general-purpose or special-purpose processor programmed with the instructions to perform these steps. Alternatively, the steps may be performed by a combination of hardware, software, and/or firmware.
- As shown in the figure, computer system 600 includes an external storage device 610, a bus 620, a main memory 630, a read only memory 640, a mass storage device 650, a communication port 660, and a processor 670. Those skilled in the art will appreciate that computer system 600 may include more than one processor and more than one communication port.
- Examples of processor 670 include, but are not limited to, Intel® Itanium® or Itanium 2 processor(s), AMD® Opteron® or Athlon MP® processor(s), Motorola® lines of processors, FortiSOC™ system on a chip processors or other future processors. Processor 670 may include various modules associated with embodiments of the present invention.
- Communication port 660 can be any of an RS-232 port for use with a modem based dialup connection, a 10/100 Ethernet port, a Gigabit or 10 Gigabit port using copper or fiber, a serial port, a parallel port, or other existing or future ports. Communication port 660 may be chosen depending on the network, such as a Local Area Network (LAN), Wide Area Network (WAN), or any network to which computer system 600 connects.
- Memory 630 can be Random Access Memory (RAM) or any other dynamic storage device commonly known in the art. Read only memory 640 can be any static storage device(s), e.g., but not limited to, Programmable Read Only Memory (PROM) chips for storing static information, e.g., start-up or BIOS instructions for processor 670.
- Mass storage 650 may be any current or future mass storage solution, which can be used to store information and/or instructions. Exemplary mass storage solutions include, but are not limited to, Parallel Advanced Technology Attachment (PATA) or Serial Advanced Technology Attachment (SATA) hard disk drives or solid-state drives (internal or external, e.g., having Universal Serial Bus (USB) and/or Firewire interfaces), e.g. those available from Seagate (e.g., the Seagate Barracuda 7200 family) or Hitachi (e.g., the Hitachi Deskstar 7K1000), one or more optical discs, or Redundant Array of Independent Disks (RAID) storage, e.g. an array of disks (e.g., SATA arrays), available from various vendors including Dot Hill Systems Corp., LaCie, Nexsan Technologies, Inc. and Enhance Technology, Inc.
- Bus 620 communicatively couples processor(s) 670 with the other memory, storage and communication blocks. Bus 620 can be, e.g., a Peripheral Component Interconnect (PCI)/PCI Extended (PCI-X) bus, Small Computer System Interface (SCSI), USB or the like, for connecting expansion cards, drives and other subsystems, as well as other buses, such as a front side bus (FSB), which connects processor 670 to the software system. Optionally, operator and administrative interfaces, e.g., a display, keyboard, and a cursor control device, may also be coupled to bus 620 to support direct operator interaction with computer system 600. Other operator and administrative interfaces (not shown) can be provided through network connections connected through communication port 610.
- External storage device 640 can be any kind of external hard drive, floppy drive, IOMEGA® Zip Drive, Compact Disc-Read Only Memory (CD-ROM), Compact Disc-Re-Writable (CD-RW), or Digital Video Disk-Read Only Memory (DVD-ROM). The components described above are meant only to exemplify various possibilities. In no way should the aforementioned exemplary computer system limit the scope of the present disclosure.
- Although embodiments of the present invention and their various advantages have been described in detail, it should be understood that the present invention is not limited to or defined by what is shown or discussed herein.
- Moreover, as one skilled in the art will appreciate, any digital computer systems can be configured or otherwise programmed to implement the methods and apparatuses disclosed herein, and to the extent that a particular digital computer system is configured to implement the methods and apparatuses of this invention, it is within the scope and spirit of the present invention. Once a digital computer system is programmed to perform particular functions pursuant to computer-executable instructions from program software that implements the present invention, it in effect becomes a special purpose computer particular to the present invention. The techniques necessary to achieve this are well known to those skilled in the art and thus are not further described herein.
- Computer executable instructions implementing the methods and techniques of the present invention can be distributed to users on a computer-readable medium and are often copied onto a hard disk or other storage medium. When such a program of instructions is to be executed, it is usually loaded into the random access memory of the computer, thereby configuring the computer to act in accordance with the techniques disclosed herein. All these operations are well known to those skilled in the art and thus are not further described herein. The term “computer-readable medium” encompasses distribution media, intermediate storage media, execution memory of a computer, and any other medium or device capable of storing for later reading by a computer a computer program implementing the present invention.
- Accordingly, drawings, tables, and description disclosed herein illustrate technologies related to the invention, show examples of the invention, and provide examples of using the invention and are not to be construed as limiting the present invention. Known methods, techniques, or systems may be discussed without giving details, so to avoid obscuring the principles of the invention. As it will be appreciated by one of ordinary skill in the art, the present invention can be implemented, modified, or otherwise altered without departing from the principles and spirit of the present invention. Therefore, the scope of the present invention should be determined by the following claims and their legal equivalents.
Claims (16)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US15/925,662 US10868828B2 (en) | 2018-03-19 | 2018-03-19 | Mitigation of NTP amplification and reflection based DDoS attacks |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US15/925,662 US10868828B2 (en) | 2018-03-19 | 2018-03-19 | Mitigation of NTP amplification and reflection based DDoS attacks |
Publications (2)
Publication Number | Publication Date |
---|---|
US20190289032A1 true US20190289032A1 (en) | 2019-09-19 |
US10868828B2 US10868828B2 (en) | 2020-12-15 |
Family
ID=67906356
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US15/925,662 Active 2038-10-29 US10868828B2 (en) | 2018-03-19 | 2018-03-19 | Mitigation of NTP amplification and reflection based DDoS attacks |
Country Status (1)
Country | Link |
---|---|
US (1) | US10868828B2 (en) |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN112615870A (en) * | 2020-12-22 | 2021-04-06 | 北京天融信网络安全技术有限公司 | Method and device for detecting attack behavior based on NTP message data |
CN112953956A (en) * | 2021-03-05 | 2021-06-11 | 中电积至(海南)信息技术有限公司 | Reflection amplifier identification method based on active and passive combination |
Also Published As
Publication number | Publication date |
---|---|
US10868828B2 (en) | 2020-12-15 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US10097578B2 (en) | | Anti-cyber hacking defense system |
US11601456B2 (en) | | Transparent inspection of traffic encrypted with perfect forward secrecy (PFS) |
Deshmukh et al. | | Understanding DDoS attack & its effect in cloud environment |
US8245300B2 (en) | | System and method for ARP anti-spoofing security |
Whyte et al. | | DNS-based Detection of Scanning Worms in an Enterprise Network |
US7266754B2 (en) | | Detecting network denial of service attacks |
Wong et al. | | A survey of trends in massive DDoS attacks and cloud-based mitigations |
US8856913B2 (en) | | Method and protection system for mitigating slow HTTP attacks using rate and time monitoring |
US10057213B2 (en) | | Examining and controlling IPv6 extension headers |
US9253153B2 (en) | | Anti-cyber hacking defense system |
US20070245417A1 (en) | | Malicious Attack Detection System and An Associated Method of Use |
US11811820B2 (en) | | Malicious C and C channel to fixed IP detection |
US10868828B2 (en) | | Mitigation of NTP amplification and reflection based DDoS attacks |
US20060248186A1 (en) | | Network management and administration |
US11503471B2 (en) | | Mitigation of DDoS attacks on mobile networks using DDoS detection engine deployed in relation to an evolve node B |
Ahmad et al. | | A countermeasure mechanism for fast scanning malware |
Zhou et al. | | Limiting self-propagating malware based on connection failure behavior |
US20230328107A1 (en) | | Systems and methods for controlling access to an unadvertised cloud-based resource |
Tupakula et al. | | Analysis of traceback techniques |
Ahmad | | Early detection and containment of network worm |
WO2023060881A1 (en) | | Method and apparatus for identifying source address of message |
TWI702510B (en) | | Method and device for finding a malicious encrypted connection fingerprint |
US20230396648A1 (en) | | Detecting DDoS attacks by correlating inbound and outbound network traffic information |
Mishra et al. | | A systematic survey on DDoS attack and data confidentiality issue on cloud servers |
Sagatov et al. | | Countering DNS Amplification Attacks Based on Analysis of Outgoing Traffic |
Legal Events
Code | Title | Description |
---|---|---|
AS | Assignment | Owner name: FORTINET, INC., CALIFORNIA. Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:JAIN, HEMANT KUMAR;REEL/FRAME:045279/0566. Effective date: 20180319 |
FEPP | Fee payment procedure | Free format text: ENTITY STATUS SET TO UNDISCOUNTED (ORIGINAL EVENT CODE: BIG.); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY |
STPP | Information on status: patent application and granting procedure in general | Free format text: NON FINAL ACTION MAILED |
STPP | Information on status: patent application and granting procedure in general | Free format text: NOTICE OF ALLOWANCE MAILED -- APPLICATION RECEIVED IN OFFICE OF PUBLICATIONS |
STPP | Information on status: patent application and granting procedure in general | Free format text: PUBLICATIONS -- ISSUE FEE PAYMENT VERIFIED |
STCF | Information on status: patent grant | Free format text: PATENTED CASE |